AUSA: Soldiers’ iPhones don’t equal cyber dangers

FORT LAUDERDALE, Fla. — The Army’s goal of providing every soldier with a smartphone will not necessarily pose serious cyber risks for the service, said Brig. Gen. Harold Greene, the Program Executive Officer for Intelligence, Electronic Warfare & Sensors.

Of course, he followed that up saying the Army isn’t quite sure yet when it has a cyber vulnerability.

“We don’t have a good metric to measure what is cyber hardened and what is not,” Greene said at the Association of the U.S. Army’s Winter Symposium here.

Army leaders have worked hard to try keep pace with the smartphones most soldiers already own. Officials have acknowledged their acquisition process is too slow.

To help keep up, Army officials chose to use open architecture phones that allow more companies to build the software featured on the phones. Think Android versus Apple, although the Army is quick say it wants to include Apple, which features closed architecture, in the service’s smartphone competition.

Greene said the Army’s choice of open architecture phones does not mean the service is more likely to get hit by cyber attacks.

Concerns still exist inside the service over a cultural shift to empower more soldiers with their own phones. Greene received multiple questions from the crowd over the phones’ safety.

“I don’t equate cyber threats with open versus closed,” Greene said.

Join the Conversation

The Russians ran a “cyber risk” when they used spark gap transmitters on their ships entering the Straights of Tsushima on May 26, 1905! They thought that they could depend on the newfangled wireless communications for C4! The Japanese locked down their keys on THEIR spark gap transmitters and the Russians were left sucking wind.… also perhaps better tactics, gunnery, and equipment added to their demise but.… . . :-) Dont think that anyone took the results as a resounding condemnation of wireless comm!

Smartphones for troops WILL have its downside as well as its much more significant upside.

I agree with you that it open a lot of possibility, and also with the choice of an open platform. But seriously, the downside are very likely to be more vicious than expected. Soldier are likely to use it as a distraction when they should not, easily predictable and manageable to some extends since the phone is the property and under control of the army.

Even with custom hardening, complication are almost infinite. The enemy could track and maps the soldier because of their phone radio signal. The enemy could attack the public infrastructures behind, like the telecommunication tower, a satellite, or everything that can permit them to intercept the radio-communication or to perform an attack as a men in the middle and perhaps even perform cyber-sabotage over remote-controlled equipment (I suppose that soldier will be able to receive information and control those small drones) or at least know the location of such equipment. Or attack could be performed by using fake hardware, the pentagon already experienced a data breach because of someone in the middle east who ended up with fake hardware. Actually even a simple compromised usb key have already lead to a data breach. Or very probably, someone will steal on of these phone without necessarily swapping it for a fake one, and then steal the software and then perform an extended analysis of the hardware up to the transistor level. And after then, real headache will come.

Of course, with a proper configuration many of these issue can be addressed, since they will have total control over it, a big advantage in favor of the open platform. They could configure a passive mode for the phone to recieve intel/orders transmitted through private infrastructure, like a flying drone or whatever else. That would make them untraceable. And I have no doubt that the NSA is already working on an adequate cryptographic system for these smartphones.

I suppose it depends on the usage scenario, but COTS iPhones/Android smartphones are too easily hackable.

The problem with smartphones and any other new technology is that the markets are extremely competitive, which forces OEMs to get product to market very quickly.

Given market pressures strong security is often an afterthought — same issue for things like the cloud.

There’s the issue of device security (OS/crypto/firmware/etc.), but then you also have the issue of how secure a given app is. Will apps have to go through EAL or other and will only approved/secure apps be allowed on the phone?

What about the problem of taking photos with the phone of things that should not be photographed or allowed photography that needs to be guarded? The latter is controllable even if stored on removable memory.

Outside of hacking one must control usage. The same i/o port control software that would have prevented Wikileaks also works to control smart phones and certain apps and I might add uses optional FIPS 140–2 level 1 software encryption (256 bit AES), which is better than nothing.

Next — do all soldiers really need smartphones? I know they’re really “hip,” but they cost a lot of money. So what’s the usage scenario that requires 100% deployment?

Required security will also vary by what type of network to which the phone is connected and the sensitivity of data at rest or in transit and area of usage. I doubt any of these phones contemplate TEMPEST issues.

So by all means leverage advantages gained via the much larger commercial markets, but be patient and make sure anything that is deployed is adequately secure and necessary.

We do not need another Wikileaks.

Put accountability on users and the CIO when things go wrong — particularly the CIO and other senior IT personnel.

I still can’t get my head around how a laptop connected to SIPRNet had no i/o device/app control software.

Was the Army CIO or any other senior IT person disciplined for such a huge oversight? If so haven’t read anything about it. And while Manning should be jailed the point is he shouldn’t have been able to do what he did in the first place.

Finally, comply with NIST/other standards — not much point in having security standards if CIOs don’t follow them.

As for Dino’s, “taking photos with the phone of things that should not be photographed” comment, I completely agree. Beyond the obvious mission security issues, how many times over the past few years have we seen good military careers brought down when pictures or videos of things we’ve all seen or done in combat or just during our military careers, go public on the internet to a civilian population who could never understand such things. Simply the fact that if one has never ‘been there, done that’, then one cannot understand the military mindset or military humor. Often during stressful times such as combat, humor is the only way to persevere and we all know, military humor is NOT the same as civilian humor.
Having a camera phone could greatly enhance intelligence gathering while at the same time, pose great risks to operational security. Perhaps the phones just don’t have a camera. My company Blackberry doesn’t, precisely for operational security reasons. Although at times I wish it did, I’ve adjusted to it just fine.
Semper Fi!

Years ago, our troops were finding Garmin Rhinos on Taliban dead in Afghanistan. The importance of that is that these irregular, untrained, and il-equipped tribesmen had the GPS and communications capabilities that the Army was hoping to put in the hands of our soldiers in 15–20 years! Was it theoretically possible to intercept and exploit the FRS signals that networked the Rhinos.… of course. Was there any interception .… Hmmmm…

By the way, the Rhinos were not designed for ANY sort of security aside from the channelization of FRS and cost around $140 each. But then the Taliban did not have an in-house bureaucracy that needed to tout the risks in order to secure funding! :-) And our troops on the ground were asking their moms and dads to send them Rhinos so that they could have at least the same capability to navigate and communicate as the Taliban (and the shipments were forbidden)!!

I find it hard to justify the cost of equiping every Joe with a smart phone. Do they all really NEED one? Of course not. Add to that the fact that, in Afghanistan at least, there is very limited cell covereage. Just seems like a waste of money.

It depend how you see the smartphone. If you think to a gadget to watch porn and play 0.99$ games, then yes a smartphone is useless. A smartphone is nothing more than a very small computer. On that perspective there is a lot of good opportunities, because not every soldier can carry the weight and the size of a rugged laptop, while a phone is quite compact, can be designed to be waterproof and by its small size, quite robust (just forget about those damn touch screen); it can be carried by everyone if jugged necessary. It can be even tweaked as a two-way radio with no communication tower required. You can litterally pack all the electronics you want into this little box, and all the feature this electronics can give you because a)it’s not a commercial products and b)you got total control over it…

I agree that providing to every soldier a smartphone will be too costly but it can be used more sparingly too, the dream and the reality are probably going to be a little different.

And since the Lightsquared fiasco, we know just how easily any GPS-based system can be jammed, so we should deny our troops ANY GPS-reliant system! I think not!! But if we accept your logic, would that not be the reasonable thing to do? :-)Sent from my iPhone

Once upon a time the US Department of War was dead set against repeating rifles largely because they thought that the troops would waste too much time and ammunition shooting at the enemy! The warriors of the Sioux Indian nation had no such delusion to Custer’s great dismay! :-)

That is not my logic at all. As I’m sure you know, military GPS is encrypted. Lightsquared (unintentionally or not) found a way to jam GPS signals, but with encrypted GPS receivers we can still prevent someone from altering the information it receives. I saw a training video a couple years ago where a guy was able to change the navigational information being send to a Garmin with another device. There’s also some debate as to the accuracy of a DAGR versus a Garmin or Rhino for something as precise as land nav or calling for fire.

The odds of the Taliban deliberately trying to hack our DAGRs is probably pretty small, but why take the risk? Early in the war when comms were limited, soldiers were buying walkie talkies for their squads because dismounted radios hadn’t reach that level yet. It was a great idea until we discovered Iraqi insurgents shopped at the same sporting goods store we were and were listening in.

I think that you need to read the technical report on the jamming “technique” that caused the Lightsquared interference issues as well as the precise implementation of “encryption” used in military GPS systems. This is not the best forum for describing either. :-)

You take the risk because of the benefit conveyed. Why would I EVER want to tie each soldier in on a position and status reporting network with voice and data comm? Its more weight, its more batteries, its more opportunity to betray you position and intent? Why not can the whole soldier radio concept? The reason is really basic! Such a capability, even with all of the implied risks, enhances the combat effectiveness of the guys on the ground.

Are there perhaps a few more risks incurred by using a COTS system to provide the capability? Of course! BUT those risks have to be balanced against the $140 cost, and more importantly the immediate deployability of the system! Who cares if the best possible system could be provided 20 years in the future if a serviceable system can be delivered for a rather miniscule cost today! The Army bureaucracy, and specifically that bureaucracy that requires the “perfect system” development cycle that is its lifeblood, overrode the Sgts and Lts that needed to be able to talk to and find their troops! So much for the “supporting for the warfighter” I guess!

Vered Harim is based on secure cellular technology (TETRA) that has been around for 10 years or so. The TETRA system has been used OCONUS by NATO, Israelis, and a host of other countries military and “first responder” networks and you STILL can not buy a Japanese-made scanner that can handle the security. For all of those years that the DoD was “gaming” the JTRS program, civilian requirements (secure 1st responder comm), and other countries acceptance of cellular technology advanced the state of the art. Now we are left with tin cans and string, and resorting to at least debatably non-secure commercial cellular, while the Singaporean police force has a solidly secure tactical/cellular comm! Admittedly, TETRA is a fairly low data rate compared to some other cellular formats, but.… it also offers “through the wall” capability that ATT would envy. AND it can not be readily “hacked” in real or near-real time. AND the handhelds can be had for hundreds of dollars instead of tens of thousands of dollars! AND its available today!!

LOL! I gather that you would vote against deploying smart phone technology? Own any stock in a JTRS compliant company? :-)

The “responsibility” for communications security will always have to rest on the individual user. If I want to have the most secure communications system in the world, its very easy to implement. Turn the ON/OFF switch to the OFF position! We would then revert to the pre-telegraph army C4 of the Napoleonic era! ABSOLUTE security would be achieved without any “compliance requirement” on the lower echelons.

As for holding the users responsible for compliance with the necessary security measures, it does so woefully limit creativity and individual initiative, and we KNOW that accountability is one of those anathemas of the current system. <sarcasm dripping>

Thinking, I’m all for getting gear to the guys on the ground as soon as possible (I’m one of them), but you also can’t just wish away OPSEC and INFOSEC concerns. The “perfect system” doesn’t exist especially where IT is concerned, but you can’t just broadcast in open air either. Military history is full of battles lost because of compromised communications. I fully embrace where smartphones are going and what they can do for us on the battlefield. One of the great things about the phones is you can constantly update whatever software and security you use on it. Get it out there now with low-risk apps, and gradually add to it when we’re more comfortable with its capabilities.

USBs and CD-Rs used to be allowed on SIPRNET computers because of the need and convenience of transferring data from one one staff section to another without filling up email inboxes. Then classified USBs ended up in the FOB laundromat and in Afghan markets, and Bradley Manning copied everything in site and walked out with it. Sometimes those cumbersome security policies are in place to save soldiers from themselves.

LoL! Yes, there are very real OpSEC and COMSEC concerns with any IT or comm system. It’s also inescapable no matter how much high tech you try to throw at it. To steal a line from all of the acquisition classes, a need CAN be addressed with personnel, procedures, or systems. If I operate on an open tactical network passing status and location left and right, up and down with encryption that takes two or three days to “hack” is that network satisfactorily secure for tactical operations, or do you deny the comm capability until the TACTICAL net is secure enough to also pass SIOP?Sent from my iPhone

LOL — Nope nor do I work for or earn money from a company that produces any type of radio, cell or other com device.

However, I do know that one can hack into these devices at will and as I said by all means leverage advances gained by commercial markets — just make sure the security is a bit better than what the commercial user has.

I think you missed the important part of DoubleL’s comment. Just where, exactly, do expect soldiers to be using these smartphones? Back at the base? That hardly seems like a critical operational need. On the battlefield? How many battlefields come with cell towers pre-installed? Of those, how many are on networks you trust enough to carry your tactical voice/data?

Even if smartphones were perfectly secure, they still only work in 1% of the places we might find ourselves fighting in.

Name*

Mail (will not be published)*

Website

*required

Notify me of follow-up comments by email.

Notify me of new posts by email.

NOTE: Comments are limited to 2500 characters and spaces.

By commenting on this topic you agree to the terms and conditions of our User Agreement